Mobile service routing in a network environment

ABSTRACT

A data flow is received from a mobile network relating to a mobile subscriber. Subscriber data is received for the subscriber identifying a service path corresponding to the subscriber and at least one service policy corresponding to the subscriber, the service path including a set of network service nodes in a plurality of network service nodes. Packets of the data flow are routed according to the service path, the packets corresponding to a request for a resource. At least one packet is appended with service header data identifying the service policy. Each service node performs at least one service based on received request data, each service node in the set of service nodes performing a service defined in a service subscription of the subscriber. At least one particular service node in the set of network service nodes performs a particular service based at least in part on the service policy.

TECHNICAL FIELD

This disclosure relates in general to the field of communications and, more particularly, to service routing in a mobile communications environment.

BACKGROUND

Networking architectures have grown increasingly complex in modern communication environments. As the subscriber base of end users increases and the services offered to those subscribers grows more complex, proper routing and efficient management of communication sessions and data flows becomes critical. Mobile networks exist providing mobile computing devices access to remote resources, including Internet-based resources. Further, mobile services exist that can be delivered over such networks including hardware security module service, firewall services, intrusion prevention services, intelligent messaging filter, content filtering, and other services. Mobile connectivity and services continue to grow in popularity and complexity, particularly as users rely more and more on accessing the Internet, web-based services and software, and other resources over a growing base of mobile devices, including smart phones and tablet computers armed with mobile internet access provided by various mobile network operators.

BRIEF DESCRIPTION OF THE DRAWINGS

FIG. 1 is a simplified block diagram of a mobile communications system.

FIG. 2 is a simplified block diagram of an example gateway system of a traditional communications systems used in connection with a plurality of services.

FIG. 3A is a simplified block diagram illustrating control plane interactions within a mobile communications system including a mobile gateway and policy control engine.

FIG. 3B is a simplified block diagram illustrating data plane interactions within a mobile communications system including a mobile gateway and policy control engine.

FIGS. 4A-4B are simplified block diagrams illustrating example functions of an example mobile communications system including a mobile gateway and policy control engine.

FIG. 5 is a simplified flowchart of an example technique for providing a service-aware mobile gateway.

Like reference numbers and designations in the various drawings indicate like elements.

DETAILED DESCRIPTION OF EXAMPLE EMBODIMENTS Overview

In general, one aspect of the subject matter described in this specification can be embodied in methods that include the actions of receiving a first data flow from a mobile network relating to a first mobile subscriber. First subscriber data can be received for the first mobile subscriber, the first subscriber data identifying at least one first service path corresponding to the first mobile subscriber and at least one first service policy corresponding to the first mobile subscriber, the at least one first service path including a first set of network service nodes in a plurality of network service nodes. Routing of at least one packet of the first data flow can be initiated over a network according to the first service path, the at least one packet corresponding to a request for at least one web-based resource. Initiating routing of the at least one packet can include appending the at least one packet with service header data identifying the at least one first service policy. Further, each service node in the plurality of network service nodes performs at least one service based at least in part on received request data, each service node in the first set of service nodes performs a service defined in a service subscription of the first mobile subscriber, and at least one particular service node in the first set of network service nodes performs a particular service based at least in part on the at least one first service policy.

These and other embodiments can each optionally include one or more of the following features. The first service path can be one of a plurality of predefined paths. Data can be received identifying a registration of a new service path for inclusion in the plurality of predefined paths, the new path including a new service provided using a particular service node. Path data can be stored for use in initiating routing of data through the new service path. Each path in the plurality of predefined paths can be adapted to route data to at least one service provided by a service node in the plurality of network service nodes. The service header data can further identify the at least one first service path name. The first path can specify an ordered routing of the at least one packet to each of the service nodes in the first set of service nodes. The first subscriber data can be received from a policy control engine, the policy control engine maintaining subscriber data for each of a plurality of mobile subscribers. The policy control engine can include at least one of AAA, HLR, or HSS data. At least one return packet can be received from at least one of the first set of network service nodes, the return packet corresponding the first data flow and including data, such as an appended tag, identifying a condition of a first service node in the first set of network service nodes. An aspect of the at least one first service path can be at least temporarily modified based at least in part on the identified condition of the first service node. Further, services provided by the first set of service nodes can include at least two of a firewall service, deep packet inspection (DPI) service, content filtering service, intrusion prevention service, intelligent message filtering service, VOIP service, ad insertion service, and online video service. The first subscriber data can include accounting date data corresponding to the service subscription of the first mobile subscriber. The service header data can further include the accounting date data and the particular service node can perform the particular service further based, at least in part, on the accounting date data.

Other features can include receiving a second data flow from the mobile network relating to a second mobile subscriber. Second subscriber data can be received for the second mobile subscriber, the second subscriber data identifying at least one second service path corresponding to the second mobile subscriber and at least one second service policy corresponding to the second mobile subscriber. Routing of at least one packet of the second data flow can be initiated, over the network, according to the second service path, the at least one packet of the second data flow corresponding to a request for at least one web-based resource. Initiating routing of the at least one packet of the second data flow can include appending the at least one packet of the second data flow with service header data identifying the at least one second service policy. Each service node in the second set of service nodes can perform a service defined in a service subscription of the second mobile subscriber, at least one particular service node in the second set of network service nodes performing a particular service based at least in part on the at least one second service policy, the second set of service nodes being different from the first set of service nodes.

Still other features can include receiving data identifying a change to the service subscription of the first mobile subscriber. A second data flow can be received from the mobile network relating to the first mobile subscriber. Modified subscriber data can be identified for the first mobile subscriber, the modified subscriber data including subscriber data different from the first subscriber data, based at least in part on the change. The at least one first policy can correspond to a particular service provided by at least one particular network service node in the first set of network service nodes, wherein the particular service is adapted to be performed in accordance with at least one of a plurality of particular policies, and the at least one first policy is one of the plurality of particular policies. A first IP-address-independent-identifier can be generated corresponding to the first mobile subscriber, where the service header data further includes the first IP-address-independent-identifier. An IP-address-independent-identifier can differentiate a first mobile subscriber from a second mobile subscriber sharing the same IP address.

Further, a policy control engine can maintain subscriber data for a plurality of mobile subscribers, the subscriber data for each mobile subscriber in the plurality of mobile subscribers including at least one particular service path name corresponding to a subscription of the corresponding mobile subscriber, the subscription for each mobile subscriber in the plurality of mobile subscribers including at least one service from a plurality of available services to which the corresponding mobile subscriber is subscribed. At least one particular service policy name can correspond to at least one of the services to which the corresponding mobile subscriber is subscribed. A routing module can receive the first subscriber data for the first mobile subscriber from the policy control engine. The policy control engine can also be configured to receive subscription modification requests relating to at least one mobile subscriber and modify subscriber data in accordance with the subscription modification request. A subscription modification request can identify a change to a particular service policy of a particular service subscribed to by a particular mobile subscriber in the plurality of mobile subscribers. A subscription modification request can also identify a change to the services to which a particular mobile subscriber is subscribed, and a corresponding service path corresponding to the particular mobile subscriber can be modified to reflect the change to the services to which the particular mobile subscriber is subscribed. A service policy name corresponding to the particular mobile subscriber can be modified to reflect the change to the particular service policy.

Some or all of the features may be computer-implemented methods or further included in respective systems or other devices for performing this described functionality. The details of these and other features, aspects, and implementations of the present disclosure are set forth in the accompanying drawings and the description below. Other features, objects, and advantages of the disclosure will be apparent from the description and drawings, and from the claims.

Example Embodiments

The evolution and growth of the mobile Internet is fundamentally changing the way users access the Internet. End users are consuming content and services in new ways, across new devices (e.g., smartphone, netbooks, e-readers, and tablet computers), and interacting with other users in ways that only mobile networks can provide. These developments can be adapted to by transitioning existing mobile networks from transport-centric approaches, where the focus is on delivery of packets, to a service-centric approach, where intelligent end-to-end features deliver services efficiently, cost effectively, and with market differentiation. Accordingly, an improved mobile gateway can be provided that it is aware of not only the subscribers and services and policies to which subscribers are subscribed, but also the remote service resources themselves and the available paths to those services. Further, the mobile gateway can coordinate with other network elements and resources included in a service chain, exporting a portion of this awareness to these other resources while allowing the mobile gateway to be aware of the network location of where a service or application is, when to allow service access, and how to forward subscriber traffic to the relevant service or application in the most efficient manner. The mobile gateway can further extend awareness beyond those services hosted and managed by a particular, affiliated mobile service provider (such as the operator of the gateway) to other services, such as those provided through partnerships and others running “over the top.” For instance, an improved mobile gateway can negotiate tags that can be appended to packets forwarded by the mobile gateway to other network resources allowing the network resources to receive and understand service- and subscriber-specific instructions and methods pertaining to the packet's data flow, as communicated by the mobile gateway through the tags. For instance, a service header can be appended to a dataflow payload identifying a particular service chain path and one or more service policies pertaining to services included in the service chain.

FIG. 1 is a simplified block diagram of an example embodiment of a communication system 100, which can be associated with a mobile wireless network. The example architecture of FIG. 1 includes multiple instances of user client devices 105 a-d, each of which may connect wirelessly to one or more wireless access nodes (e.g., 110) to connect to backhaul links 115 (e.g., Ethernet backhaul) of communication system 100. The backhaul portion 115 of the network can include intermediate links between a local wireless edge network and routers and other network elements providing access to a core network 120, or backbone, of the network and the small subnetworks at the “edge” of a hierarchical network. One or more mobile gateway systems 125 can provide a point of presence to core network 120, allowing client devices 105 a-d to consume one or more services provided by service node devices 160 a-c connected to core network 120. Mobile gateway system 125 can include various network elements 130, 135, 140, 145, 150 for use in exchanging, analyzing, and modifying packets in a network environment. Further, one or more policy servers 155 can be in communication with mobile gateway system 125 to provide, for instance, data for use in authentication, authorization, and accounting (AAA) operations as well as provide subscriber-level intelligence regarding services and service policies associated with each subscriber in one or more particular mobile communication networks.

A mobile gateway system 125 can be connected to Ethernet backhaul 115 and a policy server 155 through one or more intermediate network elements such as aggregation router 130 or home agent router 140, respectively. A packet gateway 135, such as a packet data network gateway (PGW)/serving gateway (PGW/SGW) of an LTE network, can also be provided. In other instances, packet gateway can represent any anchor point in mobile or non-mobile networks, such as a broadband remote access server (BRAS) in a DLS network. Devices 145 and processing units adapted to perform deep packet inspection (DPI) operations can also be provided. An edge routing entity, such as a Provider Edge (PE) router 150 can also be provided to interface with core network 120 and route packets processed by mobile gateway system 125 through core network 120, for instance, to node service devices 160 a-c. As further shown in FIG. 1, communication system 100 and portions of mobile gateway system 125 can be logically broken into various segments such as a device regional area network (RAN) 165, backhaul segment 170, RAN-RAN segment 180, mobile IP segment 185, a network-network segment 190, and network-to-application segment 195. A mobile client device 105 a-d can access a core network 120 using communication system 100 to access core network 120, including the Internet, web-based resources, applications, and services, including services hosted by one or more service node devices 160 a-c.

Each of the elements of FIG. 1 may couple to one another through simple interfaces (as illustrated) or through any other suitable connection (wired or wireless), which provides a viable pathway for network communications. Additionally, any one or more of these elements may be combined or removed from the architecture based on particular configuration needs. Communication system 100 may further include transmission control protocol/Internet protocol (TCP/IP) communications for the transmission or reception of packets in a network, and may also operate in conjunction with a user datagram protocol/IP (UDP/IP) or any other suitable protocol where appropriate and based on particular needs.

Communication system 100 may be tied to various architectures such as the 3rd Generation Partnership Project (3GPP) Evolved Packet System architecture as well as 3GPP access networks, such a GERAN, UTRAN, and E-UTRAN. In some implementations other architectures and access networks can be utilized such as digital subscriber line (DSL), Cable, WiMAX, code division multiple access (CDMA) 2000, WiFi, or the Internet.

User client devices 105 a-d can be associated with clients, customers, or end users wishing to initiate a communication in system 100 via some network. In one particular example, user equipment 105 a-d reflects individuals capable of generating wireless network traffic. The term “endpoint” is inclusive of devices used to initiate a communication, such as a computer, a personal digital assistant (PDA), a laptop or electronic notebook, a cellular telephone, an iPhone, a Blackberry, a smartphone, a tablet, an iPad, an IP phone, or any other device, component, element, equipment, or object capable of initiating voice, audio, video, media, or data exchanges within communication system 100. User client devices 105 a-d may also be inclusive of a suitable interface to the human user, such as a microphone, a display, or a keyboard or other terminal equipment. User client devices 105 a-d may also be any device that seeks to initiate a communication on behalf of another entity or element, such as a program, a database, or any other component, device, element, or object capable of initiating an exchange within communication system 100. User client devices can may also include any device (such as a sensor or meter) used to capture an event (such as temperature), which is then relayed through the network to an application that translates the event into meaningful information. Data, as used herein in this document, refers to any type of numeric, voice, video, media, or script data, or any type of source or object code, or any other suitable information in any appropriate format that may be communicated from one point to another.

In certain example techniques of communication system 100, IP networks may provide users with connectivity to networked resources such as corporate servers, extranet partners, multimedia content, the Internet, and any other application envisioned within IP networks. While these networks generally function to carry data plane (user-generated) packets, they may also implicate control plane and management plane packets. Unlike legacy network technologies (e.g., Integrated Service Digital Network (ISDN), Frame Relay, and Asynchronous Transfer Mode (ATM)) that define separate data and control channels, IP networks carry packets within a single pipe. Thus, IP network elements such as routers and switches can distinguish between data plane, control plane, and management plane packets, enabling each packet to be suitably processed. In general, the data plane (also known as the forwarding plane or the user plane) provides the ability to forward data packets; the control plane provides the ability to route data correctly; the management plane provides the ability to manage network elements.

Many packets handled by a router travel through the router via the data plane. Data plane packets can consist of end-station, user-generated packets that are forwarded by network devices to other end-station devices. Data plane packets may have a transit destination IP address, and they can be handled by normal, destination IP address-based forwarding processes. Service plane packets are a special case of data plane packets. Service plane packets can also be user-generated packets that may be forwarded by network elements to other end-station devices, but they may require high-touch handling by a network element (above and beyond normal, destination IP address-based forwarding) to properly forward the packet. Examples of high-touch handling include such functions as Generic Routing Encapsulation (GRE) encapsulation, quality of service (QoS), Multiprotocol Label Switching (MPLS), virtual private networks (VPNs), and secure socket layer (SSL)/IPsec encryption/decryption. In a mobile network, the data plane may be responsible for packet processing at a session/flow level, multiple flows/session per active user, access control list (ACL)/traffic flow template (TFT) filters per user/flow, tunneling, rate limiting, subscriber scalability, security, and Layer 7 (L7) inspection. These activities and services are typically intensive in terms of memory and packet processing.

Control plane packets can include packets that are generated by a network element (e.g., a router or a switch), as well as packets received by the network that may be used for the creation and operation of the network itself. Control plane packets may have a receive destination IP address. Protocols that “glue” a network together, such as address resolution protocol (ARP), border gateway protocol (BGP), and open shortest path first (OSPF), often use control plane packets. In a mobile network, the control plane may be responsible for session management, call setup support requirements, interfacing with external servers (e.g., querying for per-user policy and control information, such as service node devices 160 a-c), managing high availability for a gateway, and configuring and managing the data plane. Packet overloads on a router's control plane can inhibit the routing processes and, as a result, degrade network service levels and user productivity, as well as deny specific users or groups of users' service entirely.

Typical mobile networks operate with two main control planes, one which dictates the subscriber and service policies, such as authentication, quality of service (QoS), charging, available services, etc., and another control plane which determines network and transport policies, including optimal routing, service reachability (at the IP layer), etc. The former of these control planes is typically specified in mobile working groups, including 3GPP, 3GPP2, and WiMAX Forum, leveraging existing control-plane protocols defined in IETF, such as RADIUS and DIAMETER. The latter of these control planes is typically fully-specified in IETF. Using a communication system 100, such as herein described, these two control planes can be at least partially integrated, via an improved mobile gateway, allowing the mobile gateway to function as a gatekeeper to the network resources (e.g., resources and services provided by service node devices 160 a-c). Such an improved mobile gateway can be aware not only of the identify of an individual subscriber and the corresponding policies that are to be applied to the subscriber, but also aware of the location or source of the service or application on the network, when to allow service access, and how to forward subscriber traffic to the relevant service or application in the most efficient manner, as described in more detail below.

Modern applications can make use of a scalable L4-L7 service routing and insertion architecture. Such architectures can be configured to allow a service provider to integrate new services quickly into the network, and scale these services dynamically as demand accelerates. Additionally, service providers can then deploy services without significant changes to the underlying network layer. In mobile networks, such considerations are further complicated by the need to scale and chain these services dynamically on a per-subscriber. For instance, many nodes in a mobile network, such as billing entities, AAA servers, DPI engines, policy servers, mobile gateways, etc., store subscriber state information, and therefore receive bi-directional flows for the subscribers of which it is aware.

Traditional mobile communications systems can be limited in their ability to scale, for instance, as additional services are added and/or chained. In traditional mobile communications systems, substantial complexity results as operator attempt to scale the services, gateways, and network service entities independently, e.g., with load-balancing technologies. This complexity increases with the introduction of new network services and increasing scale for existing services. For example, as shown in FIG. 2, in an example communications system 200, a set of N services are made available for subscribers of a particular mobile network. Data 205 received over a mobile gateway router 210 and destined for a core network 212 (including access to the Internet) can be processed using one or more of the N services based on the subscription profile of the subscriber. For instance, a combination of any one of a DPI service 215, content filtering service 220, prepaid charging service 225, and other services (e.g., Service N 230) can be offered and chained together for particular subscribers. Further, different subscribers can be subscribed to different services and service combinations (“paths” or “chains”). For examples, a first subscriber can be subscribed to a DPI service 215 and content filtering service 220 while a second subscriber is subscribed to a DPI service 215 and prepaid charging service 225. In some instances, services can be provided by a plurality of distinct remote service nodes, indeed, in some cases, each service can be provided by a distinct service node. As illustrated in FIG. 2, using traditional mobile communications systems, multiple possible logical flows can result from offering multiple different services. Indeed, the number of possible logical flows scales exponentially with the addition of each additional service (where the number of logical flows equals NI, N being the number of available services). Further, in some implementations, each service can be associated with a corresponding virtual local area network (VLAN), introducing additional complexity. Indeed, in some instances, a service chain including multiple services can involve multiple VLANs. Still further, in traditional communications systems, multiple policy-based routing systems can be involved where a service chain includes multiple different services, with traffic steered to the corresponding service nodes based on IP address.

Further complicating subscriber-level management of services in a mobile communications environment are that certain services may need to be delivered in a particular order, relative to other services in a service chain. Further, the delivery of services and order of service delivery may need to be optimized, for instance, so as to route data according to a most efficient network path, based on the respective locations, interfaces, bandwidth, etc. of service nodes providing the services, as well as, the capabilities and features of the network elements acting as a gatekeeper for the routing and provision of services on behalf of mobile subscribers. Moreover, unlike in traditional networks, mobile networks can require a level of subscriber-level customization and tracking in connection with routing and switching decisions within the network. Additionally, many services can be delivered according to one of a plurality of policies available at the respective service, based in part on the identity of the particular subscriber consuming the service. As an example, a VOIP service can offer optional add-on services, billing plans, etc. to which a mobile subscriber may be subscribed.

In accordance with one example implementation, an intelligent mobile gateway can be implemented that provides an intersection between mobility events, routing topology, and service delivery, performing a gatekeeper function for the network. The mobile gateway can retrieve information on all services available on the core network, as well as the location of those services (e.g., an IP address for L3 adjacent, MAC address for L2 adjacent, etc.). As the service architecture and service availability changes, the gateway can be alerted to modify subsequent interactions with and routings of packets to service nodes corresponding to the services. Further, the intelligent mobile gateway can also be provided with subscriber information including subscriber policies for services to which the subscriber is subscribed and negotiate communication of such subscriber-specific data with the service nodes via control plane messages. The mobile gateway can tag packets destined for service nodes over the data plane with such subscriber information to assist in streamlining data flows and service delivery at least partially customized according to the mobile subscriber identity. In some implementation, such tags can also include next-service information, so that the service knows how to forward the packet next. The tag can also include specific processing priority, so that the service, if un-inundated, can choose to either process the packet and perform service, or transparently pass the packet, etc.

Packets tagged and sent out by the mobile gateway for processing by one or more service nodes in a service chain can return packets embodying the results of the services or reporting the status of the service to the mobile gateway. Such return packets can also be returned to a subscriber communication device via the mobile gateway. Return packets received from service nodes in response to the performance of one or more services can also be tagged with information describing service ability (e.g., CPU, memory, etc.), service status, service node status, and/or other service-related feedback information. Indeed, in some instances, return packet tags can include information describing an error, overload condition (e.g., too many concurrent subscribers or service instances), or other unavailability of a service or service node in the chain. For instance, in one example, a first service node after performing a corresponding service may attempt to forward the data flow to a second service node in the chain, only to discover that the second service node is either temporarily or permanently unavailable. The first service node, in returning the results of its service to the mobile gateway, can append its return packets with tags communicating the unavailability of the second service node. In such examples, where return packets include tags identifying status, modifications, and other conditions of service nodes downstream in the service chain, such return tags can be used by the mobile gateway to temporarily or permanently disable one or more services based on the intelligence communicated via the tags. In other examples, the mobile gateway can use such tags to modify, either temporarily or permanently, the corresponding service path, to mitigate the downstream service node unavailability. Additionally, the mobile gateway can coordinate with one or more policy servers or policy control managers (such as described in more detail below) to memorialize or otherwise manage corresponding changes to the service chain.

Turning to FIGS. 3A-3B, simplified block diagram 300 a-b are shown illustrating one possible set of details associated with mobile communication systems, such as mobile communication system 100 illustrated in FIG. 1. In this particular example, a mobile gateway 305 can be provided in communication with a policy control engine 310. The mobile gateway can include at least one processor device and at least one machine-readable memory element. The policy control engine 310 can similarly include at least one processor device and at least one machine-readable memory element. In some instances, mobile gateway 305 and policy control engine 310 can be share one or more processors and/or memory elements. The policy control engine 310 can provide centralized policy control functionality for a plurality of mobile gateways (e.g., corresponding gateways of a single or multiple wireless service providers) or can be integrated with the mobile gateway 305 itself. The mobile gateway 305 can assist in providing a mobile client device 315 with access to a core network 320, such as an MPLS/IP backbone network. The mobile gateway 305 can further act as a gatekeeper for packets destined for or returned from one or more service nodes 325 in response to data transmitted to the gateway 305 from a mobile client device 315 via a wireless network. Service nodes 325 can provide a wide-variety of services that can be dynamically added and supplemented. Services can include, for examples, a hardware security module service, firewall services, intrusion prevention services, intelligent messaging filter, various web-based applications and services, voice-over-IP services, web video services, among other examples.

FIG. 3A illustrates certain control and management plane communications between mobile gateway 305, policy control engine 310, service broker/service directory (SB/SD) module 330 to establish service and subscriber awareness within the IP network (i.e., 320) infrastructure. Each service node (e.g., 325, 340) can register 335 a-b with the SB/SD module 330 communicating information describing the service node including what services are provided by the service node, the network location of the service node, an identification of the entity maintaining or managing the service node, etc. In instances where a service provided by a particular service node (e.g., 325) includes multiple service policies effecting how the service is delivered and/or consumed, service policy information can also be shared with the SB/SD module 330. Information retrieved 335 a-b from the service nodes 325, 340 by the SB/SD module 330 can be stored and maintained in one or more data structures, such as databases maintained by the SB/SD module 330. SB/SD module 330 can provision or be provisioned with a data plane service path for each service registered at the SB/SD module 330. Further, the SB/SD module 330 can be provisioned with at least one service template describing a listing of services that can be applied in the data plane of network 325.

The mobile gateway 305 and/or policy control engine 310 can also communicate with SB/SD module 330 in connection with the identification of service path (or service chain) data plane information corresponding to services registered at the SB/SD module 330. SB/SD module 330 can share this data with the mobile gateway 305 and/or policy control engine 310. In some examples, mobile gateway 305 can communicate with the SB/SD module 330 and share the knowledge obtained from the SB/SD module 330 with policy control engine 310. Indeed, in one particular example, mobile gateway 305 can register with SB/SD module 330, for instance, in order to be able to determine which services are available in the network. The mobile gateway 305 can identify one or more services available to subscribers of a mobile service making use of mobile gateway 305 and communicate 342 with SB/SD module to obtain up-to-date service path data corresponding to that service. Upon retrieving this information, in one particular example, the mobile gateway 305 can communicate 345 this information to policy control engine 310. In this way, mobile gateway 305, policy control engine 310 and SB/SD module 330 can maintain consistent records of the data plane service path and policies corresponding to each service registered at the SB/SD module 330 and relevant to the mobile gateway 305 (and policy control engine 310). Further, shorthand codes, names, or other identifiers can be assigned to each service path and service policy and consistently maintained across mobile gateway 305, policy control engine 310, and SB/SD module 330 to assist in communicating and using this information in routing and handling of mobile service requests.

Further, in some implementations, the provision of the SB/SD module 330 can also allow edge routers in the network to intelligently utilize or route data to particular mobile gateways registered with the SB/SD module 330. A plurality of mobile gateways can be provided and made available as a service in the chain as viewed from the perspective an edge router. Return service paths, policies, identifiers, and other data can be maintained for mobile gateways registered through the SB/SD module. Such data can be used by other edge nodes and routers on the network, including service nodes (e.g., 325). Allowing edge routers to also utilize intelligence maintained in an SB/SD module to intelligently specify a (e.g., return) service chain can, thereby further improve overall routing within a particular service-centric network environment.

Turning to FIG. 3B, certain example data plane communications are illustrated, for instance, involving a Service B provided by service node 325. A data flow 350 can be received originating from a subscriber's mobile client device 315 requesting web resources (such as a web page from www.website.com) accessible over core network 320. In connection with or in advance of this data flow 350, mobile client device 315 can be authorized and/or authenticated using a policy control engine 310. Policy control engine 310 can be implemented, at least in part, as an AAA server, home location register (HLR), policy charging and rules function (PCRF), or other module, function, or system adapted to maintain details of each mobile device subscriber authorized to use the network. Further, policy control engine can, in some implementations, assign an IP address to the subscriber device 315. In some instances, an IP address assigned to a particular subscriber device (e.g., 315) can be a temporary IP address, one that is re-used across a plurality of subscriber devices authorized to use the network. Further, policy control data maintained for individual subscribers can include and be indexed by a subscriber international mobile subscriber identity (IMSI) assigned to the subscriber. In connection with the authorization and authentication of the mobile device 315, policy control data 355 can be retrieved by the policy control engine 310 corresponding to the particular subscriber and forwarded to the mobile gateway 305. In some implementations, policy control data 355 can be forwarded to the mobile gateway 305 in response to a request from mobile gateway 305 for such information, in connection with a dataflow identified as originating from a corresponding subscriber device.

Policy control data 355 can include, in some instances, an identification of the subscriber (e.g., the subscriber IMSI), an assigned IP address for the corresponding subscriber device, together with a service path name corresponding to the subscriber, and one or more service policy identifiers corresponding to the subscriber and related to one or more of the services included in the subscriber's particular service path. As different subscribers can be subscribed to different services, a particular service path can be associated with a particular subscriber's account based on the set of services to which the subscriber is subscribed. In some implementations, a plurality of different service paths can be identified and maintained that correspond to a particular subscriber. For instance, in some examples, the service path (and relevant service policies) can be based on the type of dataflow or service request received from the subscriber device. Further, information returned in policy control data 355 identifying particular policies associated with or subscribed to by a subscriber can be delivered.

The mobile gateway 305 can use the received policy control data 355 to route packets to service nodes corresponding to or included in the service path identified in the policy control data 355. Indeed, the mobile gateway can append, tag, or otherwise include some or all of the received policy control data 355 in data flow 350 packets forwarded 360 to core network 320 over the data plane. For instance, a packet 365, including payload 375, can be tagged with a service header 370 that includes a service path identifier 372 and service policy identifier 374. Other data 380 can also be appended to the payload 375, such as a key used to distinguish between distinct subscriber devices that have each been assigned the same, shared IP address. Such key data, included in other data 380, can be appended to each packet in a particular data flow (e.g., where non-stateful, non-intelligent service nodes are involved in the service chain), or alternatively to only some (e.g., the first or last) packets in the flow (e.g., where all service nodes in a service chain are intelligent/stateful).

Using the identified service path included in one or more packets of data flow 360, network elements downstream from mobile gateway 305, including service nodes included in the service chain, can identify how the packets are to be forwarded (or “hop”) through core network 320 on to subsequent service nodes in the service chain specified by the service path name. Neither the individual service nodes nor the locations of said nodes included in the service chain need be explicitly identified in the service path. Instead, in some implementations, a service path name (e.g., 372) can be provided that corresponds to a particular pre-defined combination and/or order of services to be accessed, called, consumed, etc. in connection with particular data flows of a given subscriber. Accordingly, a service path can be one of a plurality of pre-defined paths over service nodes in the network 320.

Further, one or more service policy names (e.g., 374) can be included in data flow 350 packets for use by service nodes (e.g., 325) receiving the packets of data flow 350. A particular service policy name can be pre-defined for a particular policy of a particular service provided by a particular service node. The service policy name can be the same policy name shared with the SB/SD module during registration of the service by the corresponding service node. The service node 325, upon receiving the packets of data flow 350, can inspect the packets and identify the service policy name corresponding to the service(s) provided by the service node 325. The service node can then tailor the service, utilizing the received packets 350, according to the policy defined in the service policy name included in the packets.

Turning to FIG. 4A-4B, simplified block diagrams 400 a-b are shown illustrating some potential operations associated with the present disclosure. In the implementation of FIG. 4A, and by way of illustrating certain principles described above, a new service, for example, a content filtering service provided by service node 325, registers 402 with SB/SD module 330 allowing SB/SD module 330 to add the content filtering service to its services template, catalog policies of the service, and establish one or more service paths including or corresponding to the content filtering service. Existing services can also be modified, the respective service nodes hosting the service, sending update data to the SB/SD module 330 to communicate the change (such as a change to the location of the service node or a change in the policies of the service) to other network elements, such as mobile gateway 305. The SB/SD module 330 can share 430 this information with mobile gateway 305 in response to a request 435 from the mobile gateway 305. Mobile gateway 305 can further forward all or a portion of this information to policy control engine 310, including names (or other identifiers) corresponding to the service path(s) and service policies involving the newly added content filtering service of service node 325. Accordingly, records of service paths and policies maintained by policy control engine can be correspondingly updated to reflect the addition of the new content filtering service or modification of an existing service.

Building upon the illustrative example of FIG. 3A, FIG. 4A shows that subscriber data flow 350 can be received by mobile gateway 305 from a mobile device 315 associated with a particular subscriber. The data flow 350 can identify a request for one or more resources associated with a website hosted by a particular web server (e.g., 405). Mobile gateway 305 can obtain policy control data 355 retrieved by policy control engine 310 in connection with authentication and authorization of the subscriber client device 315. The policy control data 355 can include an identification of a particular service path associated with the subscriber as well as policies to which a subscriber has opted-in to. In this example, the retrieved service path identifier, “Path 1,” retrieved for the subscriber in policy control data 355, corresponds to a subscriber's subscription to the content filtering service (hosted by service node 325) and an intrusion prevention service hosted by a service node 410. It can be determined that the data flow 350 from the subscriber device 315 should be processed according to the content filtering and intrusion prevention services subscribed to by the subscriber. Accordingly, mobile gateway 305 can append data to one or more packets in the data flow 350 forwarded onto the network 320, the data (e.g., 372) identifying the particular service path mapped to “Path 1.” The mobile gateway 305 can, with the assistance of other network elements in network 120 and service nodes 325, 340, 410 route packets in data flow 350 according to the predefined data plane service path corresponding to “Path 1” as negotiated between service node 325, SB/SD module 330, mobile gateway 305, and other relevant network elements.

Further data (e.g., 374) can be appended to one or more packets in the data flow 350 forwarded onto the network 320 that identifies policies of one or more of the content filtering and intrusion prevention services associated with the subscriber. For instance, the content filtering service can have three categories (or policies) corresponding to varying levels of content filtering that can be provided using the content filtering service: one category for content filtering for children, one for teenagers, and one for young adults. The category of content filtering subscribed to by the subscriber can be identified in the data 374 included in service header 370 appended to a packet 365 of the data flow 350. For instance, as shown in FIG. 4A, depending on the subscriber's policy (i.e., child, teen, or young adult), a different service header 370 value can be appended to the payload 375 of the packet 365 a-c forwarded on to the core network 320, thereby identifying to the service node (i.e., 325) the service policy associated with the packet.

When service node 325, hosting the content filtering service, receives packets tagged with service headers indicating that the packets are to be processed using content filtering service, the service node can identify policy name tags included in the service header data 370 appended to the packet payload 375. For instance, in one example, a packet 365 a is received by service node 325. The service header 370 of packet 365 a is parsed by the service node 325 to identify policy identifier 374 “100.” The service node 325 can further identify that policy identifier “100” corresponds to child-level content filtering. Accordingly, service node 325 can perform child-level content filtering on the received packet as well as other packets in the data flow.

For some services, subscribers can specify, subscribe to, or opt-in to various policies or service levels associated with the service. Services can be delivered based on the subscribed-to policy. Among other advantages, the above system can simplify management of subscribers' policy changes. For instance, a user can request that a service level or policy for a particular service be modified. Such a request can be nearly instantaneously communicated to the mobile gateway 305 and/or policy control engine 310 so that subsequent data flows, originating from a subscriber device, are tagged with policy identifiers (e.g., 374) corresponding to the modified policy selection. For instance, continuing with the example of FIG. 4A, a subscriber can elect to change their content filtering policy from child to young-adult. After updating the data records of policy control engine 310, subsequent data flows involving the content-filtering service can be tagged with policy identifiers (e.g., equal to “102”) corresponding to the young-adult-level content filtering, such as shown in packet 365 c.

In some cases, as in the example of FIG. 4A, a service path can include services provided by multiple service nodes (e.g., 325, 410). Indeed, service policy identifiers included in service header 370 can be used to identify multiple policies, such as the policy of each distinct service in the service chain. In some cases, multiple different service policy identifiers (e.g., 374) can be included in the service header 370 each corresponding to a separate policy, while in other instances a single service policy identifier for the subscriber can map to a plurality of service policies subscribed to by a single subscriber, each policy corresponding to a separate service. Accordingly, a mobile gateway 305 can be used to assist in providing efficient routing and customization of data flows and mobile services based on the identity of the individual subscriber.

Turning to FIG. 4B, another simplified block diagram 400 b is shown illustrating some other potential operations associated with the present disclosure. In some instances, an IP address can be assigned to a mobile subscriber in connection with the delivery of network (e.g., IP) services to a mobile device (e.g., 315, 450) associated with the mobile subscriber. In some instances, the IP address assigned to a mobile subscriber, such as in connection with authorization and authentication of the mobile subscriber (e.g., at 355, 455), can also be appended to a packet (e.g., 470, 475) transmitted over the network 320 for use by service nodes (e.g., 325, 410) providing a service for the mobile subscriber.

In some instances, mobile gateway 305 and policy control engine 310 can assign mobile subscribers IP addresses from a limited set of available IP addresses. Indeed, a policy control engine 310, for example, can assign the mobile subscriber one of the IP addresses in connection with a first transaction or session and, later, assign the same mobile subscriber a different IP address in connection with another transaction or session. Further, the number of mobile subscribers served by the mobile gateway can exceed the number of available IP addresses over a particular time period forcing the policy control engine 310 to occasionally re-use a recently- or concurrently-assigned IP address for assignment to another, distinct mobile subscriber. For instance, in the example illustrated in FIG. 4B, mobile subscriber 315 requests data for retrieval over IP/MPLS network 320, such as a website (such as described in connection with the example of FIG. 4A). During this first transaction, policy control engine 310 has assigned (at 355) mobile subscriber 315 an IP address of 1.10.1.1. Additionally, a particular service path name and service policy name can be retrieved corresponding to the particular mobile subscriber 315. Another mobile subscriber 450 can also be assigned IP address 1.10.1.1 by policy control engine 310. The other mobile subscriber 450 can have its own corresponding subscriber data 455 including a service path and service policy name. In this particular example, mobile subscribers 315 and 450 can also consume an overlapping set of services, with each subscribed, in this example, to a content filtering service hosted by service node 325. The respective service paths of mobile subscribers 315 and 450, while both including the content filtering service, can, however, also include different network “hops.” As an example, a packet (e.g., 470) corresponding to mobile subscriber's 315 data flow can have a first hop 365 to service node 325, a second hop 420 to service node 410, and a third hop 425 to web server 405. While the path of the other mobile subscriber 450 also includes a hop 465 to service node 325, the service path corresponding to the subscription of the other mobile subscriber 450 does not include the intrusion prevention service provided by service node 410, skipping (e.g., 485) instead to web server 405.

Given the overlap in service paths, in some instances, two separate packets can be transmitted to service node 325, each packet assigned the same IP address (e.g., 1.10.1.1) despite one packet originating from mobile subscriber 315, and the other originating from mobile subscriber 450. In order to further assist service node 325 in differentiating between the two packets, additional data 380 can be appended to the service header 370, such as a unique, IP-address-independent-identifier (e.g., a generic routing encapsulation (GRE) key, corresponding MSISDN, IMSI, MAC address, etc.) or other data, allowing the service node to identify how each packet is to be appropriately processed, billed, etc. For instance, each of mobile subscribers 315 and 450 can be subscribed to different content filtering policies. While the respective service headers 370 a, 370 b of mobile subscribers 315, 450 can include identifications (e.g., 374 a, 374 b) of the subscriber's preferred policies (as well as other identifiers, such as service path identifiers 372 a, 372 b), additional data 380 a, 380 b can be useful to ensure that the service node 325 does not confuse traffic from two different mobile subscribers 315 and 450 having the same IP address. For instance, in one example, mobile subscriber 315 can change their content filtering service policy, with the change reflected in substantially real time and memorialized in service headers sent by the mobile gateway 305 following the change. However, in an example where the mobile subscriber 315 changes their policy to a policy matching the policy of another mobile subscriber sharing the same IP address (e.g., subscriber 450), service node (e.g., 325) may potentially confuse the traffic of mobile subscriber 315 with that of the other subscriber, rather than recognizing that the traffic originates from subscriber 315 according to the subscriber's modified service policy.

In addition to an IP-address-independent-identifier or other data used to assist service nodes in differentiating between different mobile subscribers, additional or alternative data 380 can also be appended to payloads (e.g., 375 a, 375 b), such as to assist with billing of services provided by one or more service nodes (e.g., 325, 340, 410, etc.). In some instances, data reflecting a subscriber's account details may be desirable to share with outside service nodes. It may be equally desirable to protect the privacy of the subscriber's identity, providing an incentive to make any tags identifying a subscriber as generic as possible, thereby sharing some relevant subscriber account details while masking the remainder of the subscriber's information. For example, accounting start and/or end dates corresponding to a particular subscription's billing cycle can be appended to the service header 370 and payload 375. The accounting start/end date can correspond to a mobile subscriber's subscription to one or more particular services, for use, for example, in tracking traffic volume over a particular billing period. This data can be used by service nodes in connection with billing calculations, without exposing more direct subscription information to service nodes or network elements. Other data can also be appended by a mobile gateway 305 to payloads 375 of packets forwarded by the mobile gateway 305 to assist service nodes in providing services to mobile subscribers. Such data can be maintained by a policy control engine 310 or other data management utility and can be communicated, shared, maintained, and negotiated, for example, with other service nodes (e.g., 325, 340, 410) via the SB/SD module 330.

Using principles, functionality, and systems similar to those described above, mobile service routing and chaining can be achieved based on subscriber profile information stored in policy control records, such as in connection with an AAA, HLR, HSS, or policy server. With such functionality, mobile IP and services architectures can further adopt a cloud-like mobile services environment or architecture, implementing stateful, inline services to deploy service infrastructure. Accordingly, a mobile gateway node can understand not only subscribers and subscriber services but also service resources within the network infrastructure and build a dynamic forwarding plane. Indeed, in some implementations, a mobile operator may abstract the mobile gateway itself, with service routing established from the first point of IP presence (e.g., the mobile cellsite router, aggregation router, etc.) to a mobile gateway system that resides at least in part in a cloud computing environment. In other instances, a mobile operator may abstract only the services on the Internet-side of the mobile gateway, and instantiate services through the mobile gateway itself, where service routing is established directly from the gateway upstream interface to a service entity that resides in a cloud computing environment. Indeed, in some instances, a cloud-based mobile services environment can be realized, with the cloud computing environment containing virtual instances of a plurality of service nodes. The cloud computing environment may constantly be moving this virtual instance in order to optimize datacenter usage, resulting in multiple, dynamic changes to the service chain and routing within the service chain. Using the principles explained above, a communication system can be adapted to handle dynamic and request updating of service chain records and routing information, allowing mobile gateways to be notified and updated as a virtual service instance is modified.

Further, in some implementations, existing technologies and protocols can be leveraged using the principles described above. For instance, RADIUS and or DIAMETER can be used to implement out-of-band control plane signaling between service edge nodes, service brokers, and an improved mobile gateway. For instance, RADIUS Access Accept can be used to convey subscriber profile information augmented with forwarding function information, such as used in RADIUS Vendor-Specific Attributes (VSA), RADIUS Change of Authorization (CoA), or DIAMETER Re-Authorization Requests (RaR). Appropriate service path tunnels and transport mechanisms can then be built to support the delivery of the particular service chain based on the information conveyed.

Turning to FIG. 5, a simplified flowchart 500 is shown of an example technique for providing a service-aware mobile gateway. A data flow can be received 505 over a mobile network from a mobile client device associated with a first mobile subscriber. Additionally, subscriber data can be retrieved 510 for the first mobile subscriber. For instance, the subscriber can be retrieved (or received) from a policy control engine maintaining subscriber data for a plurality of subscribers in connection with the authentication of the mobile subscriber. The received subscriber data can include identification of at least one service path corresponding to the first mobile subscriber and at least one service policy corresponding to the first mobile subscriber. Packets in the data flow can be tagged 515 with service header data identifying the at least one first service policy. The service header data can also identify the at least one service path as well as other identification information such as the first mobile subscriber's IMSI and assigned IP address. Routing of the at least one packet over a core network, together with the service header, to service nodes in the identified service path can be initiated 520, each service node performing or providing at least a portion of a service included in a service subscription of the first mobile subscriber. The identified service path can include data used to realize particular hops over a core network to the one or more service nodes in the path. In some implementations the service header can further identify a service path corresponding to the first mobile subscriber as well as other data, such as an IP address, routing key, or other data. The service header can be used by network elements downstream from the mobile gateway, including service nodes providing services in the service subscription of the first mobile subscriber, to handle, route, and process the dataflow of the packet to which the service header is appended.

Note that in certain example implementations, providing a service-aware mobile gateway such as described in the implementations and related functions outlined herein may be implemented by logic encoded in one or more tangible machine-readable media (e.g., embedded logic provided in an application specific integrated circuit [ASIC], digital signal processor [DSP] instructions, software [potentially inclusive of object code and source code] to be executed by a processor, or other similar machine, etc.). In some of these instances, a memory element (e.g., such included in mobile gateway 305 or policy control engine 310) can store data used for the operations described herein. This includes the memory element being able to store software, logic, code, or processor instructions that are executed to carry out the activities described in this Specification. A processor can execute any type of instructions associated with the data to achieve the operations detailed herein in this Specification. In one example, the processor (e.g., such included in mobile gateway 305 or policy control engine 310) could transform an element or an article (e.g., data) from one state or thing to another state or thing. In another example, the activities outlined herein may be implemented with fixed logic or programmable logic (e.g., software/computer instructions executed by a processor) and the elements identified herein could be some type of a programmable processor, programmable digital logic (e.g., a field programmable gate array [FPGA], an erasable programmable read only memory (EPROM), an electrically erasable programmable ROM (EEPROM)) or an ASIC that includes digital logic, software, code, electronic instructions, or any suitable combination thereof.

In one example implementation, networking devices such as those shown or described in connection in any one of the above figures, may include software in order to achieve any of the functions outlined herein. Such networking devices can include memory elements for storing information to be used in achieving the functions and activities discussed herein. Additionally, such networking devices can further include a processor that can execute software or an algorithm to perform the operations and features disclosed in this Specification. These devices may further keep information in any suitable memory element [random access memory (RAM), ROM, EPROM, EEPROM, ASIC, etc.], software, hardware, or in any other suitable component, device, element, or object where appropriate and based on particular needs. Any of the memory items discussed herein (e.g., database, data structure, data record, tables, trees, cache, etc.) should be construed as being encompassed within the broad term “memory element.” Similarly, any of the potential processing elements, modules, and machines described in this Specification should be construed as being encompassed within the broad term “processor.” Each of the network elements can also include suitable interfaces for receiving, transmitting, and/or otherwise communicating data or information in a network environment.

Note that with the example provided above, as well as numerous other examples provided herein, interaction may be described in terms of two, three, or four network elements, devices, or components. However, this has been done for purposes of illustration and example only. In certain cases, it may be easier to describe one or more of the functionalities of a given set of flows by only referencing a limited number of network elements. It should be appreciated that the described services and systems (e.g., 100) (and corresponding teachings) can be readily scalable and can accommodate a large number of components, as well as far more complicated/sophisticated arrangements and configurations. Accordingly, the examples provided should not limit the scope or inhibit the broad teachings of the above systems and services as potentially applied to a myriad of other architectures.

It is also important to note that the steps in the preceding flow diagrams illustrate only some of the possible signaling scenarios and patterns that may be executed by, or within, a communication system. Some of these steps may be deleted or removed where appropriate, or these steps may be modified or changed considerably without departing from the scope of the present disclosure. In addition, a number of these operations have been described as being executed concurrently with, or in parallel to, one or more additional operations. However, the timing of these operations may be altered considerably. The preceding operational flows have been offered for purposes of example and discussion. Substantial flexibility is provided by a communication system (e.g., 100) in that any suitable arrangements, chronologies, configurations, and timing mechanisms may be provided without departing from the teachings of the present disclosure.

Although the present disclosure has been described in detail with reference to particular arrangements and configurations, these example configurations and arrangements may be changed significantly without departing from the scope of the present disclosure. For example, although the present disclosure has been described with reference to particular communication exchanges involving certain endpoint components and certain protocols (e.g., IGP, IGMP, etc.), communication system 10 may be applicable to other protocols and arrangements. Moreover, the present disclosure is equally applicable to various technologies, aside from DSL architectures, as these have only been offered for purposes of discussion. Along similar lines, communication systems implementing some or all of the above-disclosed features can be extended to any Multi-Protocol Label Switching (MPLS) architecture. Similarly, the teachings presented herein can also be used in loop free alternate (LFA) configurations in other embodiments.

Thus, particular embodiments of the subject matter have been described. Other embodiments are within the scope of the following claims. In some cases, the actions recited in the claims can be performed in a different order and still achieve desirable results. In addition, the processes depicted in the accompanying figures do not necessarily require the particular order shown, or sequential order, to achieve desirable results. In certain implementations, multitasking, cloud, and parallel processing may be advantageous. 

1. A computer-implemented method comprising: receiving a first data flow from a mobile network relating to a first mobile subscriber; receiving first subscriber data for the first mobile subscriber, the first subscriber data identifying at least one first service path corresponding to the first mobile subscriber and at least one first service policy corresponding to the first mobile subscriber, the at least one first service path including a first set of network service nodes in a plurality of network service nodes; and initiating routing of at least one packet of the first data flow over a network according to the first service path, the at least one packet corresponding to a request for at least one web-based resource, wherein initiating routing of the at least one packet includes appending the at least one packet with service header data identifying the at least one first service policy; wherein each service node in the plurality of network service nodes performs at least one service based at least in part on received request data, each service node in the first set of service nodes performs a service defined in a service subscription of the first mobile subscriber, and at least one particular service node in the first set of network service nodes performs a particular service based at least in part on the at least one first service policy.
 2. The method of claim 1, wherein the first service path is one of a plurality of predefined paths.
 3. The method of claim 2, further comprising: receiving data identifying a registration of a new service path for inclusion in the plurality of predefined paths, the new path including a new service provided using a particular service node; and storing, in at least one memory device, path data for use in initiating routing of data through the new service path.
 4. The method of claim 2, wherein each path in the plurality of predefined paths is adapted to route data to at least one service provided by a service node in the plurality of network service nodes.
 5. The method of claim 1, wherein the service header data further identifies the at least one first service path name.
 6. The method of claim 1, wherein the first path specifies an ordered routing of the at least one packet to each of the service nodes in the first set of service nodes.
 7. The method of claim 1, wherein the first subscriber data is received from a policy control engine, the policy control engine maintaining subscriber data for each of a plurality of mobile subscribers.
 8. The method of claim 1, further comprising: receiving at least one return packet, from at least one of the first set of network service nodes, corresponding the first data flow, the at least one return packet including data identifying a condition of a first service node in the first set of network service nodes; modifying, at least temporarily, an aspect of the at least one first service path based at least in part on the identified condition of the first service node.
 9. The method of claim 1, further comprising: receiving a second data flow from the mobile network relating to a second mobile subscriber; receiving second subscriber data for the second mobile subscriber, the second subscriber data identifying at least one second service path corresponding to the second mobile subscriber and at least one second service policy corresponding to the second mobile subscriber; and initiating routing of at least one packet of the second data flow over the network according to the second service path, the at least one packet of the second data flow corresponding to a request for at least one web-based resource, wherein initiating routing of the at least one packet of the second data flow includes appending the at least one packet of the second data flow with service header data identifying the at least one second service policy; wherein each service node in the second set of service nodes performs a service defined in a service subscription of the second mobile subscriber, at least one particular service node in the second set of network service nodes performs a particular service based at least in part on the at least one second service policy, and the second set of service nodes is different from the first set of service nodes.
 10. The method of claim 1, further comprising: receiving data identifying a change to the service subscription of the first mobile subscriber; receiving a second data flow from the mobile network relating to the first mobile subscriber; receiving modified subscriber data for the first mobile subscriber, the modified subscriber data including subscriber data different from the first subscriber data, based at least in part on the change.
 11. The method of claim 1, wherein the at least one first policy corresponds to a particular service provided by at least one particular network service node in the first set of network service nodes, wherein the particular service is adapted to be performed in accordance with at least one of a plurality of particular policies, and the at least one first policy is one of the plurality of particular policies.
 12. The method of claim 1, further comprising: generating a first IP-address-independent-identifier corresponding to the first mobile subscriber; and wherein the service header data further includes the first IP-address-independent-identifier, the first IP-address-independent-identifier differentiating the first mobile subscriber from a second mobile subscriber sharing a first IP address.
 13. The method of claim 1, wherein the first subscriber data includes accounting date data corresponding to the service subscription of the first mobile subscriber, the service header data further includes the accounting date data, and the particular service node performs the particular service further based, at least in part, on the accounting date data.
 14. The method of claim 1, wherein the services provided by the first set of service nodes are included in a plurality of services provided by the plurality of service nodes, the plurality of services including at least two of a firewall service, deep packet inspection (DPI) service, content filtering service, intrusion prevention service, intelligent message filtering service, VOIP service, ad insertion service, and online video service.
 15. Logic encoded in non-transitory media that includes code for execution and when executed by a processor is operable to perform operations comprising: receiving a first data flow from a mobile network relating to a first mobile subscriber; receiving first subscriber data for the first mobile subscriber, the first subscriber data identifying at least one first service path corresponding to the first mobile subscriber and at least one first service policy corresponding to the first mobile subscriber, the at least one first service path including a first set of network service nodes in a plurality of network service nodes; and initiating routing of at least one packet of the first data flow over a network according to the first service path, the at least one packet corresponding to a request for at least one web-based resource, wherein initiating routing of the request data includes appending the at least one packet with service header data identifying the at least one first service policy; wherein each service node in the plurality of network service nodes performs at least one service based at least in part on received request data, each service node in the first set of service nodes performs a service defined in a service subscription of the first mobile subscriber, and at least one particular service node in the first set of network service nodes performs a particular service based at least in part on the at least one first service policy.
 16. A system comprising: a mobile gateway including: at least one processor device; at least one memory element; a routing module, adapted when executed by the at least one processor device to: receive a first data flow from a mobile network relating to a first mobile subscriber; receive first subscriber data for the first mobile subscriber, the first subscriber data identifying at least one first service path corresponding to the first mobile subscriber and at least one first service policy corresponding to the first mobile subscriber, the at least one first service path including a first set of network service nodes in a plurality of network service nodes; and initiate routing of at least one packet of the first data flow over a network according to the first service path, the at least one packet corresponding to a request for at least one web-based resource, wherein initiating routing of the request data includes appending the at least one packet with service header data identifying the at least one first service policy; wherein each service node in the plurality of network service nodes performs at least one service based at least in part on received request data, each service node in the first set of service nodes performs a service defined in a service subscription of the first mobile subscriber, and at least one particular service node in the first set of network service nodes performs a particular service based at least in part on the at least one first service policy.
 17. The system of claim 16, further comprising: a policy control engine maintaining subscriber data for a plurality of mobile subscribers, the subscriber data for each mobile subscriber in the plurality of mobile subscribers including at least one particular service path name corresponding to a subscription of the corresponding mobile subscriber, the subscription for each mobile subscriber in the plurality of mobile subscribers including at least one service from a plurality of available services to which the corresponding mobile subscriber is subscribed, and at least one particular service policy name corresponding to at least one of the services to which the corresponding mobile subscriber is subscribed; wherein the routing module receives the first subscriber data for the first mobile subscriber from the policy control engine.
 18. The system of claim 17, wherein the policy control engine is further configured to: receive a subscription modification request relating to at least one mobile subscriber in the plurality of mobile subscribers; and modify the subscriber data in accordance with the subscription modification request.
 19. The system of claim 18, wherein the subscription modification request identifies a change to a particular service policy of a particular service subscribed to by a particular mobile subscriber in the plurality of mobile subscribers, and a corresponding service policy name corresponding to the particular mobile subscriber is modified to reflect the change to the particular service policy.
 20. The system of claim 18, wherein the subscription modification request identifies a change to the services to which a particular mobile subscriber in the plurality of mobile subscribers is subscribed, and a service path corresponding to the particular mobile subscriber is modified to reflect the change to the services to which the particular mobile subscriber is subscribed. 